forked from gajos112/OSCP
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNMAP.txt
144 lines (92 loc) · 5.99 KB
/
NMAP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
-----------------------------SIMPLE SCAN----------------------------
1. Nmap Target Selection
Scan a single IP
- nmap 192.168.1.1
Scan a host
- nmap www.testhostname.com
Scan a range of IPs
- nmap 192.168.1.1-20
Scan a subnet
- nmap 192.168.1.0/24
Scan targets from a text file
- nmap -iL list-of-ips.txt
These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.
-----------------------------PORTS SELECTION----------------------------
2. Nmap Port Selection
Scan a single Port
- nmap -p 22 192.168.1.1
Scan a range of ports
- nmap -p 1-100 192.168.1.1
Scan 100 most common ports (Fast) <-----------------FAST TEST
- nmap -F 192.168.1.1
Scan all 65535 ports <-----------------ALL PORTS
- nmap -p- 192.168.1.1
-----------------------------SCAN TYPES----------------------------
3. Nmap Port Scan types
Scan using TCP connect
- nmap -sT 192.168.1.1
Scan using TCP SYN scan (default)
- nmap -sS 192.168.1.1
Scan selected ports - ignore discovery
- nmap -Pn -F 192.168.1.1
Scan UDP ports
- nmap -sU -p 123,161,162 192.168.1.1
Privileged access is required to perform the default SYN scans. If privileges are insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be established and therefore is a slower scan. Ignoring discovery is often required as many firewalls or hosts will not respond to PING, so could be missed unless you select the -Pn parameter. Of course this can make scan times much longer as you could end up sending scan probes to hosts that are not there.
-----------------------------VERSION DETECIOTN----------------------------
4. Service and OS Detection
Detect OS and Services
- nmap -A 192.168.1.1 <-----------------SYSTEM OPERACYJNY
Standard service detection
- nmap -sV 192.168.1.1 <-----------------SERVICE VERSION
More aggressive Service Detection
- nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection
- nmap -sV --version-intensity 0 192.168.1.1
Service and OS detection rely on different methods to determine the operating system or service running on a particular port.
The more aggressive service detection is often helpful if there are services running on unusual ports.
On the other hand the lighter version of the service will be much faster as it does not really attempt to detect the service simply grabbing the banner of the open service.
-----------------------------OUTPUT TO FILE----------------------------
5. Nmap Output Formats
Save default output to file
- nmap -oN outputfile.txt 192.168.1.1
Save results as XML
- nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep
- nmap -oG outputfile.txt 192.168.1.1
Save in all formats
- nmap -oA outputfile 192.168.1.1
The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.
-----------------------------NSE SCRIPTS ------------------------------
6. Digging deeper with NSE Scripts
Scan using default safe scripts
- nmap -sV -sC 192.168.1.1
Get help for a script
- nmap --script-help=ssl-heartbleed
Scan using a specific NSE script
- nmap -sV -p 443 –script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts
- nmap -sV --script=smb* 192.168.1.1
According to my Nmap install there are currently 471 NSE scripts. The scripts are able to perform a wide range of security related testing and discovery functions. If you are serious about your network scanning you really should take the time to get familiar with some of them.
The option --script-help=$scriptname will display help for the individual scripts. To get an easy list of the installed scripts try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE scripts will be more effective and you will get better coverage by including service detection.
-----------------------------DDOS REFLECTION UPD------------------------------
7. DDOS reflection
A scan to search for DDOS reflection UDP services
- nmap –sU –A –PN –n –pU:19,53,123,161 –script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24
UDP based DDOS reflection attacks are a common problem that network defenders come up against. This is a handy Nmap command that will scan a target list for systems with open UDP services that allow these attacks to take place. Full details of the command and the background can be found on the Sans Institute Blog where it was first posted.
-----------------------------HTTP SERVICES----------------------------------
8. HTTP Service Information
Gather page titles from HTTP services
- nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services
- nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths
- nmap --script=http-enum 192.168.1.0/24
There are many HTTP information gathering scripts, here are a few that are simple but helpful when examining larger networks. Helps in quickly identifying what the HTTP service is that is running on the open port. Note the http-enum script is particularly noisy. It is similar to Nikto in that it will attempt to enumerate known paths of web applications and scripts. This will inevitably generated hundreds of 404 HTTP responses in the web server error and access logs.
------------------------------Heartbleed--------------------------------------
9. Detect Heartbleed SSL Vulnerability
- nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail and other protocols (Requires Nmap 6.46).
-----------------------------IP ENUMERATION----------------------------------
10. Find Information about IP address
- nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24